When the UK ‘taxman’ HMRC hugely reduced email-based scams, fraudsters turned to SMS. Here, Mike Fell, head of operational and cyber security at HMRC, speaks to MEF’s Tim Green about how the agency tackled the new threat.
It’s been said many times that the only certainties are death and taxes.
A bit depressing. But not for the committed fraudster. If everyone has to pay taxes, that means everyone has to come into contact with the tax collector. And right there is a fruitful opportunity to rip people off.
How? By pretending to be ‘the taxman’.
Mike Fell, head of operational and cyber security at HMRC (Her Majesty’s Revenue and Customs – the UK’s tax collection agency) says: “In the UK, HMRC is ubiquitous. So if, for example, you spoof a bank, you only target a portion of adults. But if you spoof HMRC you can target pretty much everyone.”
For this reason, fraudsters have regularly spoofed HMRC since the first email scams began a decade ago.
Though HMRC will never advise customers of tax refunds by email or text, criminals routinely send scam emails that do just this. They then link to fake URLs designed to look like the official ‘gov.uk’ site.
Once there, they dupe the visitor into handing over his or her personal data or banking details.
Happily, HMRC has used consumer education and technological tools to reduce email fraud significantly. Indeed, in the year to April 2018, it identified and initiated the removal of 14,631 malicious HMRC-related sites.
It estimates it took 300 million phishing emails out of circulation in this time frame.
Great news. But fraudsters don’t give up easily. Instead, they have switched to SMS-based scams. However, just as quickly, HMRC has fought back against them with the help of MNOs and messaging aggregators.
As part of its Future of Messaging Programme, MEF Minute talked to Mike Fell about what HMRC is doing to tackle fraud and the importance of industry collaboration.
Fraud is a problem for everyone. But it seems especially serious for HMRC’s customers. Why is this?
Well, we have to communicate directly with customers – and by customers we mean pretty much every adult in the UK. This communication is central to what we do. If customers have no confidence in that process, it completely undermines our service. We can’t function.
And as I explained, fraudsters know this. They have a bigger target to go after than if they pretend to be a bank for example.
When did SMiShing become a problem?
We first started receiving reports of SMiShing in 2016. Our customer protection team had been working hard to protect the public, and we’d deployed technical controls (DMARC) that prevented 450 million emails purporting to come from HMRC from ever being received. This all helped to make people wiser to the threat, and so the scammers started using the SMS channel.
We found that customers were nine times more likely to fall for SMS scams than email. I think that’s because of the timeliness of the messages, their direct nature and just the general sense of authenticity and credibility.
Also, it didn’t take long for fraudsters to increase the sophistication of their scams. They achieved in three months what took them five years to do with email.
How did the scams become smarter?
At first fraudsters sent texts with simple embedded links to websites with some similarity to HMRC and gov.uk. But soon we saw co-branded messages that appeared to come from, for example, parcel companies. These messages would request a release fee for goods held up at customs.
How did you fight back?
Soon after, we started receiving reports of ‘alpha tag’ spoofing, where the texts included headers such as ‘HMRC’ rather than the traditional 11 digit ‘07’ mobile numbers. In some cases these spoofed the headers of genuine HMRC texts. As a result, the messages were appearing in the same conversation streams as genuine messages from us. That made it much harder for people to tell the difference between real and fake messages. As a result we stopped using the HMRC alpha tags altogether.
We started talking to telcos, aggregators and partners like MEF to see if we could protect alpha tags better. In April 2017, we did a pilot, which used SMS ‘firewalls’ to block illegitimate alpha tags. The technology identifies fraudulent text messages and stops them before they are even delivered to a phone.
The pilot went far better than any of us expected. We reduced the most credible spoof messages by 90 per cent.
In addition we have tried to make it easier for people to report suspicious HMRC branded texts. It used to be quite hard to do this. People would have to write things down, take screenshots and email details. So one of the services we’ve launched is a short code (60599) that lets people simply forward any message they suspect.
Thanks to measures like this, we have been able to redirect over three million visits from bogus sites to genuine gov.uk pages.
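To make the alpha-tag protection described above concrete, here is an added illustration (not HMRC’s, MEF’s or any operator’s code) of the decision an SMS ‘firewall’ makes: a protected sender ID such as ‘HMRC’ is only delivered when it arrives over a route the brand has registered, look-alike tags are dropped, and HMRC-themed texts from ordinary numbers that link outside gov.uk are flagged. The registry of routes, the route names and the sample messages are all constructed assumptions.

```python
import re
from dataclasses import dataclass
from urllib.parse import urlparse

# Assumed registry: which originating routes (aggregators) the brand has told
# the operators may send under its alpha tag. Constructed names, not real ones.
PROTECTED_TAGS = {"HMRC": {"agg-a", "agg-b"}}
# Links in HMRC-themed texts should point at the official domain (gov.uk).
OFFICIAL_DOMAINS = {"gov.uk"}


@dataclass
class Sms:
    sender: str   # alpha tag such as 'HMRC', or a mobile number
    route: str    # originating route the firewall saw the message arrive on
    body: str


def normalise_tag(sender: str) -> str:
    """Collapse case, spaces and punctuation so 'h m r c.' compares as 'HMRC'."""
    return re.sub(r"[^A-Z0-9]", "", sender.upper())


def link_hosts(body: str) -> list:
    """Hostnames of every http(s) link in the body, trailing punctuation stripped."""
    urls = [u.rstrip(".,;:)") for u in re.findall(r"https?://\S+", body)]
    return [urlparse(u).hostname or "" for u in urls]


def is_official(host: str) -> bool:
    # 'gov.uk.refund-claim.example' must NOT pass: match the suffix, not a substring.
    return any(host == d or host.endswith("." + d) for d in OFFICIAL_DOMAINS)


def classify(msg: Sms) -> str:
    tag = normalise_tag(msg.sender)
    for protected, routes in PROTECTED_TAGS.items():
        if tag == protected:
            # Genuine brand traffic only ever arrives via its registered routes.
            return "deliver" if msg.route in routes else "block-spoofed-tag"
        if protected in tag:
            # 'HMRC-UK', 'HMRCGOV' and similar trade on the brand without being it.
            return "block-lookalike-tag"
    # Numeric sender claiming to be the brand but linking off gov.uk: flag for review.
    if "HMRC" in msg.body.upper() and any(not is_official(h) for h in link_hosts(msg.body)):
        return "flag-suspicious-link"
    return "deliver"
```

The spoofed-tag rule is what stops a fake ‘HMRC’ text landing in the same conversation thread as the genuine ones; the link check covers the older pattern of scam texts from plain numbers pointing at gov.uk look-alike sites.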
Have fraudsters moved on to new scams?
We’re now seeing a move back to more traditional scams, such as phone calls demanding fictitious tax debts and making threats of legal action. One new type of fraud was related to gift cards. Scammers would trick victims into making payments using iTunes vouchers, which can be redeemed and sold on easily.
Obviously, we know fraudsters will constantly change their tactics. But we’re determined to beat them, so we just have to up our game and stay one step ahead.